SoylentNews is people
SoylentNews is powered by your submissions, so send in your scoop. Only 16 submissions in the queue.
SoylentNews
posted by
martyb
on Thursday March 14 2019, @02:30PM
from the certs-are-not-just-a-breath-mint dept.
from the certs-are-not-just-a-breath-mint dept.
With many thanks to The Mighty Buzzard riding shotgun and helping me through some misunderstandings, I updated the certificates (certs) for all of SoylentNews' domains. Our certs are now good through: Wednesday, June 12, 2019.
Everything seemed to go as expected. If you experience any issues, please mention them here, or pop onto our IRC channel using your favorite client or the web interface and speak up in the #dev or #Soylent channel.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
You will experience a strong urge to do good; but it will pass.
(Score: 2) by NotSanguine on Thursday March 14 2019, @04:36PM (11 children)
Yes. Your hard work makes this place go. I know I appreciate it. Thanks to you and all the volunteers!
As an aside, I'm curious why it was complicated. I just updated several Let's Encrypt certs on one of my servers and installed a new Let's Encrypt cert on a new server a few hours ago. Using Certbot [gentoo.org] it took less than 30 seconds to renew three certs (via 'certbot renew') and almost ten minutes (as I had to use 'certbot certonly' and then modify my http server config and restart) for the new server.
I'm not poking you or Buzzard, I'm genuinely curious as to what's more complicated, aside from having to replicate the certs to multiple servers.
In fact, when renewing my certs I chastised myself for not just automating the process.
Perhaps a cron job that runs every 6-8 weeks like this:
#!/bin/sh
#
# Renew certs
/usr/bin/certbot renew
for i in host1 host2 ... hostn
/usr/bin/scp [path to renewed cert] ${i}:[path to cert]
Or something similar. I'm probably missing some complexity in the SN environment, but like I said I'm curious.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by martyb on Thursday March 14 2019, @05:04PM (2 children)
As this was my very first time ever updating certs, that just might have been a factor. I have a high-level concept of DNS and certs, but actually messing around with actual files and their syntax... let's just say I was very cautious.
A long time ago I came upon some words of wisdom that have served me well:
I knew I did not understand, so I took my time as I went. Here's another:
Until it is absolutely clear what ALL the success -- and failure -- paths are, my experience has been that it is best to keep a human in the loop.
For further details on possible additional automation I will have to defer to the others on staff who have way more experience with this than I do.
Wit is intellect, dancing. I'm too old to act my age. Life is too important to take myself seriously.
(Score: 2) by NotSanguine on Thursday March 14 2019, @05:22PM
As the wonderful G.B. Shaw said:
I try to be unreasonable. :)
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Friday March 15 2019, @03:02AM
This demonstrates the attitude of a good sys admin.
https://xkcd.com/705/ [xkcd.com]
(Score: 3, Informative) by The Mighty Buzzard on Thursday March 14 2019, @06:00PM (7 children)
dns-01 challenges are required for wildcard certs. I don't want to automate DNS changes, I prefer to screw those up on my own. Otherwise it would be a "run this script and go back to what you were doing" thing.
My rights don't end where your fear begins.
(Score: 2) by NotSanguine on Thursday March 14 2019, @06:35PM
That's sensible. I'm not a huge fan of wildcard certs, but I can see how they'd be quite useful in the SN environment.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by NewNic on Thursday March 14 2019, @08:30PM (5 children)
Don't use wildcards.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Thursday March 14 2019, @09:41PM (4 children)
We have many different things serving up http pages for all the hostnames we have on many different boxes. And we have hostnames that don't have web content associated with them at all. It was always a much bigger pain in the ass managing the multi-name certs than having to manually update four values in DNS every few months.
My rights don't end where your fear begins.
(Score: 2) by NewNic on Thursday March 14 2019, @09:55PM (3 children)
For a traditional certificate issuance, I can see that. With Let's Encrypt, it is trivial to manage multi-name certs. For those machines without a web server, you can use the Standalone plugin, which starts its own web server.
Oh well, if you want to persist with an error-prone and time wasting process, who am I to argue with you.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Friday March 15 2019, @12:38AM (2 children)
You're not understanding how much of a mess our setup is. If you put all the hostnames that just beryllium uses in one cert, you have to make more than one webserver with many different vhosts on them serve the right response for each and every vhost (certbot trying to do this automatically breaks half the vhosts), then you have to make the multiple irc hostnames serve up the proper response, then you have to make the mail server hostnames serve up the right response. And when you want to add or remove a hostname from use on the box, you have to redo the cert from scratch.
Seriously, it's much quicker and easier to use a wildcard cert. I've never had a multihost SN cert take less than an hour worth of work to renew.
My rights don't end where your fear begins.
(Score: 2) by NewNic on Friday March 15 2019, @06:53PM (1 child)
No, you exclude the "/.well-known" location from the Vhosts. This can be achieved with an alias command.
https://community.letsencrypt.org/t/apache-multidomain-webroot/10663 [letsencrypt.org]
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Saturday March 16 2019, @12:43AM
Or I could do like I'm doing and never have to touch the configs of anything but the one we pull the cert from. And never have to remake the entire enormous cert, hoping I don't miss a hostname but knowing I will, if Deucalion thinks we need a new IRC hostname on one of the existing boxes.
My rights don't end where your fear begins.